COMMAND
Cisco ATA-186 admin password can be trivially circumvented
SYSTEMS AFFECTED
Cisco ATA-186
PROBLEM
From Patrick Michael Kane's [http://www.wealsowalkdogs.com] post:
The Cisco ATA-186 Analog Telephone adapter interfaces "legacy" analog
telephones to VoIP networks. The adapter can be configured via a web
interface that typically requires a password to access.
Unfortunately, this password protection can be trivially circumvented.
On two ATA-186s that we tested, both running the latest released
firmware (v2.14), a simple HTTP POST containing a single byte would
cause the ATA-186 to display its configuration screen.
Using curl, for example:
curl -d a http://ata186.example.com/dev
Reveals the configuration for the device. Since the device does not
hash its password, the actual password can be gleaned from this screen.
The device can also be reconfigured in this way by constructing an HTTP
POST with the appropriate parameters.
The same URL is used to authenticate to the device and modify its
configuration. A review of the HTML source code for the configuration
tool screen reveals no hidden parameters that could be used to maintain
state. As a result, we believe that the device is using the type and
number of HTTP inputs to determine whether to allow configuration.
For example, if three "ChangeUIPasswd" arguments are supplied to the
device without any values, it displays the login screen. Similarly, if
three ChangeUIPasswd values are supplied, one with a value that does
not match the password stored in the device's configuration, the login
screen is displayed again.
If anything else is supplied, the device appears to assume that the
user has authenticated and is supplying a configuration. Humorously,
passing only two "ChangeUIPasswd" arguments to the device causes it
to allow configuration.
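
The decision logic inferred in the post above, modelled next to a deny-by-default check. This is an added example, not Cisco firmware code and not part of the original post; the function names, the sample password and the salt are constructed for illustration, and only the ChangeUIPasswd field name comes from the post.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

FIELD = "ChangeUIPasswd"      # parameter name taken from the post
PASSWORD = "demo-password"    # constructed sample value
SALT = b"constructed-salt"    # constructed sample value


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


STORED_HASH = _hash(PASSWORD)  # the hardened check never keeps the plaintext


def inferred_decision(body, stored=PASSWORD):
    """Fail-open model of the behaviour the post infers from its tests."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if [name for name, _ in pairs] == [FIELD] * 3:
        supplied = [value for _, value in pairs if value]
        if not supplied:
            return "login"   # three empty fields: login screen
        if len(supplied) == 1 and supplied[0] != stored:
            return "login"   # one non-matching value: login screen again
    return "config"          # anything else is treated as authenticated


def fail_closed_decision(body, stored_hash=STORED_HASH):
    """Deny by default: only one matching credential opens the config page."""
    pairs = parse_qsl(body, keep_blank_values=True)
    supplied = [value for name, value in pairs if name == FIELD and value]
    if len(supplied) == 1 and hmac.compare_digest(_hash(supplied[0]), stored_hash):
        return "config"
    return "login"


# Constructed request bodies covering the cases the post describes.
SAMPLES = [
    "a",
    "ChangeUIPasswd=&ChangeUIPasswd=&ChangeUIPasswd=",
    "ChangeUIPasswd=wrong&ChangeUIPasswd=&ChangeUIPasswd=",
    "ChangeUIPasswd=&ChangeUIPasswd=",
    "ChangeUIPasswd=demo-password&ChangeUIPasswd=&ChangeUIPasswd=",
]


def compare():
    return [(b, inferred_decision(b), fail_closed_decision(b)) for b in SAMPLES]
```

compare() returns one row per sample body with both decisions. The rows where the two models disagree are the single-byte body and the two-field body, the same request shapes the post reports as reaching the configuration screen.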
SOLUTION
Update (24 May 2002)
======
See:
http://www.cisco.com/warp/public/707/ata186-password-disclosure.shtml